Welcome to NBlog, the NoticeBored blog

You don't need eyes to see: you need vision

Dec 19, 2016

Online infosec dictionary

ComplianceDictionary.com is an online dictionary of terms defined in various standards, laws, regulations etc., maintained by UCF, the Unified Compliance Framework.

I have a lot of respect for the UCF and have blogged about them before. They systematically collate and analyze a wide variety of laws, regulations and standards, helping clients identify the areas of commonality that equate to both savings and good practice. If a given security control satisfies numerous compliance obligations or expectations, it make business sense to implement it properly, once. It may even qualify as a critical control.

Just in case you are wondering, I have no financial interest in UCF and don't earn any commission from them. I do however admit to being envious of the idea underpinning UCF!

The Compliance Dictionary is essentially a search engine that spews out both informal and formally-defined explanations for information security-related terms. The first term I entered to check it out gave a disappointing but not altogether surprising result: my search on "acountable" led to the following:

That's one informal/uncited reference to a generic definition ("The expectations or requirement to justify actions or decisions") with links from the 'Relationships' diagram to further entries including definitions of "accountability":

Notice that only the last definition has a cited source ... but (at least as far as I'm concerned) 'accountability' is a fundamental concept underpinning information security. It makes the difference between someone simply saying that information is a valuable asset worth protecting, and adequately protecting it in practice in order to avoid being held to account for incidents.

'Responsibility' is another fundamental concept, one that is also formally undefined according to the Compliance Dictionary. 

More surprisingly still, Compliance Dictionary identifies no formal definitions of 'control' ... but I know of at least one definition within the compliance documents that UCF claims to track, namely ISO/IEC 27000:

So, based on this small sample, the Compliance Dictionary is a nice idea that fails in practice. I'm disappointed but not surprised.